Excerpts from S.773 as introduced in the U.S. Senate: Cybersecurity Act of 2009

The following are excerpts from S.773 that were of particular interest. I strongly suggest reading the full bill and the included comments, as this will be impactful to global information technology security controls in the near future.

SEC. 6. NIST STANDARDS DEVELOPMENT AND COMPLIANCE.

(b) CRITERIA FOR STANDARDS- Notwithstanding any other provision of law (including any Executive Order), rule, regulation, or guideline, in establishing standards under this section, the Institute shall disregard the designation of an information system or network as a national security system or on the basis of presence of classified or confidential information, and shall establish standards based on risk profiles.

Developing standards based on a “Risk Profile” is far more universal and feasible to execute than the minutiae that exists broadly today. It is important to note that the Risk Profile for one institution shall be different from that of another institution, based on the infrastructure, management setup, personnel, and third-party service providers involved in the business/government processes. This is equally true for businesses, and it is a point often raised with regard to PCI DSS: it addresses specific risks for specific data, but it is not an appropriate information security framework for a business as a whole.

SEC. 7. LICENSING AND CERTIFICATION OF CYBERSECURITY PROFESSIONALS

(a) IN GENERAL- Within 1 year after the date of enactment of this Act, the Secretary of Commerce shall develop or coordinate and integrate a national licensing, certification, and periodic recertification program for cybersecurity professionals.
(b) MANDATORY LICENSING- Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any Federal agency or an information system or network designated…as a critical infrastructure information system or network, who is not licensed and certified under the program.

The establishment of a mandatory certification program is important and valuable. I would stipulate that a series of certifications shall be presented (likely from an existing training provider, such as SANS) to provide certifications that reflect specific subject areas (network security, application security, governance and compliance, etc.).

SEC. 14. PUBLIC-PRIVATE CLEARINGHOUSE

(b)(1) shall have access to all relevant data concerning such networks without regard to any provision of law, regulation, rule, or policy restricting such access

The consolidation of “relevant data” will create a large amount of information that can be transformed into very actionable intelligence for both public and private institutions. It is great that (c) INFORMATION SHARING allows the private sector to access this data repository. The amount of trending and innovation that could be developed would be significant. Conversely, it is also highly risky to set up widespread data sharing permissions and large-scale transmission of likely sensitive data, and organizations will have a propensity to institute data masking and privacy measures that limit their risk but also reduce the value of such data.

(2) may declare a cybersecurity emergency and order the limitation or shutdown of Internet traffic to and from any compromised Federal Government or United States critical infrastructure information system or network

This is a section that has received widespread attention, so I shall not comment, but it is a concern that should be evaluated by all parties.